PMASA-2004-4

Announcement-ID: PMASA-2004-4

Date: 2004-12-13

Summary

Two vulnerabilities were found in phpMyAdmin that may allow
command execution and file disclosure.

Description

We received a security advisory from Nicolas Gregoire (exaprobe.com)
about these vulnerabilities and we wish to thank him for his work.
Both vulnerabilities can be exploited only on a web server where PHP
safe mode is off.
The vulnerabilities are as follows:

Command execution: since phpMyAdmin 2.6.0-pl2, on a system where
external MIME-based transformations are activated, an attacker can put
into MySQL data a crafted value that starts a shell command when browsed.

File disclosure: on systems where the UploadDir mechanism is active,
read_dump.php can be called with a crafted form; because the
sql_localfile variable is not sanitized, this can lead to a file disclosure.
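
As an added illustration of the kind of sanitization the file disclosure item refers to (this is not phpMyAdmin's code and not its actual fix), the PHP function below confines a user-supplied file name to the upload directory. It assumes sql_localfile is meant to name a file directly inside the UploadDir directory; resolve_upload_file() and the demo paths are hypothetical, and the syntax targets current PHP (7.1 or later).

```php
<?php
// Added example: hypothetical helper, not phpMyAdmin code.
// Returns the real path of $requested only if it is a regular file located
// directly inside $uploadDir; returns null for anything else.
function resolve_upload_file(string $uploadDir, string $requested): ?string
{
    // Accept a bare file name only: no NUL bytes, no path separators,
    // no "." or ".." entries.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false
        || strpos($requested, '\\') !== false
        || basename($requested) !== $requested) {
        return null;
    }

    // Canonicalize the configured directory (resolves symlinks).
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Canonicalize the candidate; realpath() returns false if it does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }

    // After symlink resolution the file must still sit directly in $base.
    if (dirname($candidate) !== $base || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary directory stands in for the UploadDir setting.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('pma_upload_demo_');
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'dump.sql', "SELECT 1;\n");

// A bare name, a relative path, an absolute path, and a missing file.
$names = ['dump.sql', '../dump.sql', $dir . '/dump.sql', 'missing.sql'];
foreach ($names as $name) {
    $ok = resolve_upload_file($dir, $name) !== null;
    printf("%s => %s\n", $name, $ok ? 'accepted' : 'rejected');
}

unlink($dir . DIRECTORY_SEPARATOR . 'dump.sql');
rmdir($dir);
```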

Severity

As any of these vulnerabilities can be used for command execution or file
disclosure, we consider them to be serious (on servers where PHP safe mode is off).

Affected Versions

Unaffected Versions

CVS HEAD has been fixed.
The 2.6.1-rc1 release.

Solution

We strongly advise everyone to upgrade to version 2.6.1 when released. Meanwhile, setting PHP safe mode to on avoids these problems. If that is not feasible, you should deactivate MIME-based external transformations and the UploadDir mechanism.